Security Issues with Invoking O/S Commands from PL/SQL via External

On metalink there is an example of a C program which can be compiled as a
shared object to allow the invoking of any OS command from PL/SQL. The use
of this capability puts one in a bittersweet situation. Sweet because
invoking such commands allows one to do things heretofore impossible; bitter
because someone could issue "cd / rm -rf *" - a command which might make
you and Bill Law the best of friends.

Nevertheless, I believe a generic "shell.so" file can be used safely under
the following conditions: the external procedure listener is not run under
oracle, but under a non-privileged account such as nobody; no one is
granted execute permissions on the library associated with the shared
object; no one is given create library privileges; the procedures which
actually communicate with the shared object are placed in a package to which
no one is granted privileges; a package containing procedures, one for each
allowable OS command, is created with the commands specified with their
complete paths. It is to this last package that execute permissions are given.

Anyone see any holes? The idea is to allow users to invoke only those OS
commands specified in the last package mentioned above.
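The layered design described in the post, written out as Oracle PL/SQL DDL. This is an added example and not code from the post or from metalink; the schema object names (shell_lib, shell_pkg, os_cmds, app_user), the shared-object path and the entry point name "shell" are assumptions. The extproc listener running as a non-privileged OS account is a listener.ora setting and is not shown here.

```sql
-- Added example (not from the original post): one possible layout of the
-- library, the hidden interface package and the allow-list package.
-- All names and paths below are assumed for illustration.

-- 1. Library object pointing at the generic shared object. It lives in an
--    administrative schema and no EXECUTE is ever granted on it.
CREATE OR REPLACE LIBRARY shell_lib AS '/opt/oracle/lib/shell.so';

-- 2. The only code that talks to the shared object. No grants on this
--    package either; it is reachable solely through os_cmds below, which
--    runs with definer's rights (the default) in the same schema.
CREATE OR REPLACE PACKAGE shell_pkg AS
  PROCEDURE run(cmd IN VARCHAR2);
END shell_pkg;
/
CREATE OR REPLACE PACKAGE BODY shell_pkg AS
  PROCEDURE run(cmd IN VARCHAR2) AS
    LANGUAGE C
    LIBRARY shell_lib
    NAME "shell"           -- assumed entry point in shell.so
    PARAMETERS (cmd STRING);
END shell_pkg;
/

-- 3. The allow-list package: one procedure per permitted command. Each
--    command line is a fixed literal with a fully qualified path, and the
--    procedures take no arguments, so no caller-supplied text ever reaches
--    the shell.
CREATE OR REPLACE PACKAGE os_cmds AS
  PROCEDURE list_tmp;
  PROCEDURE disk_free;
END os_cmds;
/
CREATE OR REPLACE PACKAGE BODY os_cmds AS
  PROCEDURE list_tmp IS
  BEGIN
    shell_pkg.run('/bin/ls -l /tmp');
  END list_tmp;

  PROCEDURE disk_free IS
  BEGIN
    shell_pkg.run('/bin/df -k');
  END disk_free;
END os_cmds;
/

-- 4. The only grant: EXECUTE on the allow-list package. Nothing is granted
--    on shell_lib or shell_pkg, and application accounts are not given
--    CREATE LIBRARY or CREATE ANY LIBRARY.
GRANT EXECUTE ON os_cmds TO app_user;
```

Two points worth checking when reviewing such a setup: the allow-list procedures should stay parameterless (or validate any argument against a strict pattern rather than concatenating it into the command string), since a single VARCHAR2 argument passed through to a shell reintroduces the arbitrary-command problem the layering is meant to remove; and the grants on shell_lib and shell_pkg should be verified periodically from DBA_TAB_PRIVS, because a later "convenience" grant on either object silently bypasses os_cmds.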